GDPR - Failure to Report a Serious Breach
Hot on the heels of Equifax, here we have yet another delayed report of a serious data breach, this time courtesy of Uber. The breach occurred in October 2016 and exposed the personal information of about 57 million accounts, including the names, email addresses and mobile phone numbers of Uber users around the world.
Rather than disclosing the breach at the time, Uber paid the hackers $100,000 to keep the breach secret and to promise to delete the data.
Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers in 2014.
For organisations that operate in the EU, such as Uber, or that process the personal data of EU citizens, failure to report such a breach from next May, when the General Data Protection Regulation (GDPR) comes into force, will have even more serious consequences than it does under the current Data Protection Act.
From 25th May 2018, GDPR requires that:
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.
Uber reported turnover for 2016 at $6.5 billion!
In a recent survey, the Information Commissioner’s Office (ICO) found that most UK citizens don’t trust organisations with their data. The ICO research found that only one fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information.
Steve Wood, Deputy Commissioner, said:
“As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority. Putting data protection at the centre of digital businesses’ strategies is the key to improving trust and digital growth.”
GDPR is only six months away. Now is the time to ensure that your business is compliant with the new regulation and that your staff are fully trained in readiness.
Those that can engender the most trust from their customers will be the most competitive and successful in the years to come.
Remember - Personal Data is the new Oil. Don’t set fire to it!